Skip to main content

ggshield hmsl check

Beta program

Please note that Has My Secret Leaked features are currently in beta.


Check if secrets have leaked.

ggshield hmsl check [OPTIONS] PATH

Note: Secrets can be read from stdin using ggshield hmsl check -.


  • --json: Use JSON output.

  • -f, --full-hashes: Put the full hashes into the payload instead of the prefixes. This is useful for partners that trust GitGuardian because it allows to send more hashes per batch, and consumes less credits, but leaks more data to GitGuardian.

  • -n, --naming-strategy [censored|cleartext|none|key]: Strategy to generate the hints in the output.

    • censored: only the first and last characters are displayed.
    • cleartext: the full secret is used as a hint (Not recommended!).
    • none: no hint is generated.
    • key: the key name is selected if available (e.g. in .env files), otherwise censored is used.

    Default: key.

  • -t, --type [file|env]: Type of input to process.

    • file: the input is a simple file containing secrets.
    • env: the input is a file containing environment variables.

    Default: file.

This command supports all ggshield global options.


Given a secrets.txt file containing:

$ ggshield hmsl check secrets.txt
Collecting secrets...
Collected 3 secrets.
Querying HasMySecretLeaked...
97 credits left for today.
Found 2 leaked secrets.

> Secret 1
Secret name: "hjshnk5**************************89sjkja"
Secret hash: "e9b39209f72228f30b60c19493a3f756ac97dc02ae7f52db2a3abbe3c3269339"
Distinct locations: 96
First occurrence:
URL: ""

> Secret 2
Secret name: "sup3*************orGG"
Secret hash: "d775db0302080c1b7516109e929dd4b214a0f353ed3b66ff2e56c47d55a102ed"
Distinct locations: 33
First occurrence:
URL: ""

Here’s an additional example when nothing is found:

$ ggshield hmsl check secrets2.txt
Collecting secrets...
Collected 1 secrets.
Querying HasMySecretLeaked...
99 credits left for today.
All right! No leaked secret has been found.